DTS Password Availability

DOVES Vulnerability V-00105

DOVES Project
Computer Security Laboratory
Department of Computer Science
University of California at Davis



Description

Brief summary: SQL Server 7.0's DTS returns the account name and password used to run a job automatically.

Detailed description: SQL Server 7.0's Data Transformation Service (DTS) allows a database administrator to set up a package to run database actions at regular intervals and specific times. The package may need to access data as a particular user, and may have to supply that user's password (for example, if sending mail or connecting to an OLE database).

If the administrator does not protect the package with an Owner password, and an unauthorized user can view the area (Server, Repository, or file) in which the package is stored, such a user could query the properties of that package to view any stored passwords.

Components: Server

Operating system(s): Microsoft SQL Server 6.5, 7.0

An attacker can read account names and associated passwords

How to detect:

  1. Check that "DTSUI.dll" and "Sqlns.dll" are both version 7.00.886. If so, you are not vulnerable.
  2. The problem is that the attacker has access to either the SQL server that is running the package, or the package itself. This occurs when the following hold:
    1. The database administrator creating the package to run the detached job used an account name and password rather than Windows authentication.
    2. The DTS package allows anyone to edit it.
    3. The database administrator (SQL Server administrator) allows Guest access to the SQL Server MSDB database.
    4. The SQL Server is registered under an account name and password rather than under Windows authentication.

How to fix: There is both a workaround and a fix.

  1. Install the Microsoft patch and re-encipher the data in the Protected Store.
    1. Download the patch for Microsoft SQL Server 7.0 for your architecture and install it.
    2. Enter Explorer and go to the "Mssql7\Binn" folder. Replace the existing "DTSUI.dll" and "Sqlns.dll" files with the versions from the patch.
  2. The workaround involves three parts. The first two are mandatory, the third highly recommended.
    1. Save the DTS packages with an Owner password. This means that only the owner can get access to the properties.
    2. Use Windows NT authentication on the SQL Enterprise Manager.
    3. Delete the Guest user from the MSDB database, and set file access control permissions to prevent anyone but the owner from accessing the packages. The former keeps Guests from accessing packages stored on the Server or the Repository, and the latter protects packages stored as files.
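
The version check in detection step 1 and the file-permission part of workaround step 3 can be scripted. The PowerShell below is an added example, not part of the original entry or of the Microsoft patch; the `-SqlRoot` and `-PackagePath` parameters, the `.dts` extension filter, and the mapping of the file version resource to `7.00.886` are assumptions.

```powershell
# Added example: audit one host against two checks from this entry.
param(
    # Assumed: the folder that contains Binn (the entry's "Mssql7" folder).
    [Parameter(Mandatory)] [string] $SqlRoot,
    # Assumed: folders where DTS packages saved as files are kept.
    [string[]] $PackagePath = @()
)

$fixedVersion = '7.00.886'   # from "How to detect", step 1

$report = @(
    # Check 1: both DLLs must be the patched version.
    foreach ($dll in 'DTSUI.dll', 'Sqlns.dll') {
        $file = Join-Path (Join-Path $SqlRoot 'Binn') $dll
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Item = $file; Check = 'version'; Found = 'missing'; Ok = $false }
            continue
        }
        $vi = (Get-Item -LiteralPath $file).VersionInfo
        # Assumption: 7.00.886 is encoded as major.minor.build in the resource.
        $found = '{0}.{1:00}.{2}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart
        [pscustomobject]@{ Item = $file; Check = 'version'; Found = $found; Ok = ($found -eq $fixedVersion) }
    }

    # Check 2: packages stored as files should be accessible to the owner only.
    foreach ($dir in $PackagePath) {
        Get-ChildItem -LiteralPath $dir -Filter *.dts -File | ForEach-Object {
            $pkg = $_
            $acl = Get-Acl -LiteralPath $pkg.FullName
            # Any Allow entry for an identity other than the owner needs review.
            $others = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -ne $acl.Owner
            })
            $names = ($others | ForEach-Object { $_.IdentityReference.Value } |
                      Sort-Object -Unique) -join ', '
            [pscustomobject]@{
                Item = $pkg.FullName; Check = 'file ACL'
                Found = $names; Ok = ($others.Count -eq 0)
            }
        }
    }
)

$report | Format-Table -AutoSize -Wrap
```

Rows with `Ok` set to `False` are the ones to review. The script does not inspect packages stored on the Server or in the Repository, the Guest user in MSDB, or whether a package has an Owner password.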

Other information:


Keywords

access control, SQL, password, property

Cataloguing Information

PA Classification:

RISOS Classification:

Davis Classification:

Common Vulnerability Exposure: Microsoft SQL Server allows local users to obtain database passwords via the Data Transformation Service (DTS) package Properties dialog, aka the "DTS Password" vulnerability. [CAN-2000-0485]


Exploits

Attacks: See Doves exploit #105


Related Information

Microsoft Knowledge Base article Q264880, FIX: Passwords May Be Retrieved from Enterprise Manager and from a DTS Package with No Owner Password

Advisories:


History

Who reported it: Justin Gunther in Bugtraq on May 26, 2000: reported the problem and gave an exploit


Revision #1

  1. Matt Bishop on 7/31/2000
    Initial entry


Send email to doves@cs.ucdavis.edu

Department of Computer Science
University of California at Davis
One Shields Ave.
Davis, CA 95616-8562


Page created August 28, 2000 at 16:41:46 GMT
